23-3 local disk with encryption (#1760)

* Fix depends (#1582)

* Show keyhash on monpage (#1587)

* Show keyhash on monpage

* Fix review issues

* Pass encryption key info to external-vhost server (#1622)

* Pass encryption key info to external-vhost server

* Fix and tests

* Fix review issues

* Fix race with background thread (#1641)

* Fix depends (#1654)

* Use smart pointers for memory mangement  (#1662)

* Small fixes

* Use unique_ptr for memory management

* Fix creation call

* Fix review issues

* Open endpoint with cgroups (#1671)

* VHost aio backend encryption (#1675)

* VHost aio backend encryption

* Log message on error

* Tests in server_ut.cpp

* Write zero blocks

* Return VHD_BDEV_IOERR on enryption/decryption error

* Abort process when can't get encryption key

* Tests

* Fix review issues

* Add test and clang-format

* Fix ASAN

* Remove unnecessary changes

* Fix tsan tests for vhost-server (#1682)

* Use backoff delay when restart external-vhost-server (#1698)

* Use backoff delay when restart external-vhost-server

* Make constants

* Do not write that we will restart if we are not going to do it

* Fix MSAN wrong assumption for AIO reading (#1719)

* Vhost server write encrypted zero blocks (#1728)

* Write encrypted zero-block

* Stats about encryptor errors and generated zero blocks

* Use constexpr

* Transfer critical events to NBS

* Fix typo

* Limit crit event storage size

* Fix review issues

* Fix test

* Fix compilation #1

* Fix compilation #2

* Fix compilation #3

* Fix compilation #4

* Fix compilation #5

cloud/blockstore/apps/client/lib/command.cpp

@@ -60,13 +60,6 @@ const TString DefaultIamTokenFile = "~/.nbs-client/iam-token";
 
 ////////////////////////////////////////////////////////////////////////////////
 
-static const TMap<TString, NProto::EEncryptionMode> EncryptionModes = {
-    { "no",         NProto::NO_ENCRYPTION       },
-    { "aes-xts",    NProto::ENCRYPTION_AES_XTS  },
-};
-
-////////////////////////////////////////////////////////////////////////////////
-
 TString ResolvePath(const TString& path)
 {
     if (path.StartsWith('~')) {
@@ -334,46 +327,6 @@ TString TCommand::NormalizeCommand(TString command)
     return command;
 }
 
-NProto::EEncryptionMode TCommand::EncryptionModeFromString(const TString& str)
-{
-    auto it = EncryptionModes.find(str);
-    if (it != EncryptionModes.end()) {
-        return it->second;
-    }
-
-    ythrow yexception() << "invalid encryption mode: " << str;
-}
-
-NProto::TEncryptionSpec TCommand::CreateEncryptionSpec(
-    NProto::EEncryptionMode mode,
-    const TString& keyPath,
-    const TString& keyHash)
-{
-    if (mode == NProto::NO_ENCRYPTION) {
-        if (keyHash || keyPath) {
-            throw yexception() << "invalid encryption options: "
-                << " set encryption mode or remove key hash and key path";
-        }
-        return {};
-    }
-
-    if (keyHash && keyPath) {
-        throw yexception() << "invalid encryption options: "
-            << " set key path or key hash, not both";
-    }
-
-    if (!keyHash && !keyPath) {
-        throw yexception() << "invalid encryption options: "
-            << " set key hash or key path or remove encryption mode";
-    }
-
-    NProto::TEncryptionSpec encryptionSpec;
-    encryptionSpec.SetMode(mode);
-    encryptionSpec.SetKeyHash(keyHash);
-    encryptionSpec.MutableKeyPath()->SetFilePath(keyPath);
-    return encryptionSpec;
-}
-
 NProto::TMountVolumeResponse TCommand::MountVolume(
     TString diskId,
     TString mountToken,

cloud/blockstore/apps/client/lib/command.h

@@ -142,13 +142,6 @@ class TCommand
 protected:
     virtual bool DoExecute() = 0;
 
-    static NProto::EEncryptionMode EncryptionModeFromString(const TString& str);
-
-    static NProto::TEncryptionSpec CreateEncryptionSpec(
-        NProto::EEncryptionMode mode,
-        const TString& keyPath,
-        const TString& keyHash);
-
     // For read/write/zero blocks requests
     NProto::TMountVolumeResponse MountVolume(
         TString diskId,

cloud/blockstore/apps/client/lib/create_volume.cpp

@@ -3,6 +3,7 @@
 #include "volume_manipulation_params.h"
 
 #include <cloud/blockstore/libs/common/public.h>
+#include <cloud/blockstore/libs/encryption/model/utils.h>
 #include <cloud/blockstore/libs/service/context.h>
 #include <cloud/blockstore/libs/service/request_helpers.h>
 #include <cloud/blockstore/libs/service/service.h>

cloud/blockstore/apps/client/lib/read_blocks.cpp

@@ -1,9 +1,9 @@
 #include "read_blocks.h"
 
 #include <cloud/blockstore/libs/client/session.h>
+#include <cloud/blockstore/libs/encryption/model/utils.h>
 #include <cloud/blockstore/libs/service/context.h>
 #include <cloud/blockstore/libs/service/service.h>
-
 #include <cloud/storage/core/libs/common/error.h>
 #include <cloud/storage/core/libs/common/guarded_sglist.h>
 #include <cloud/storage/core/libs/diagnostics/logging.h>

cloud/blockstore/apps/client/lib/start_endpoint.cpp

@@ -1,5 +1,6 @@
 #include "start_endpoint.h"
 
+#include <cloud/blockstore/libs/encryption/model/utils.h>
 #include <cloud/blockstore/libs/service/context.h>
 #include <cloud/blockstore/libs/service/request_helpers.h>
 #include <cloud/blockstore/libs/service/service.h>
@@ -110,6 +111,7 @@ class TStartEndpointCommand final
     TString EncryptionKeyHash;
     bool Persistent = false;
     TString NbdDeviceFile;
+    THashSet<TString> CGroups;
 
 public:
     TStartEndpointCommand(IBlockStorePtr client)
@@ -185,6 +187,10 @@ class TStartEndpointCommand final
         Opts.AddLongOption("nbd-device", "nbd device file which nbd-client connected to")
             .RequiredArgument("STR")
             .StoreResult(&NbdDeviceFile);
+
+        Opts.AddLongOption("cgroup", "cgroup to place into")
+            .RequiredArgument("STR")
+            .InsertTo(&CGroups);
     }
 
 protected:
@@ -231,6 +237,7 @@ class TStartEndpointCommand final
                     EncryptionKeyHash));
             request->SetPersistent(Persistent);
             request->SetNbdDeviceFile(NbdDeviceFile);
+            request->MutableClientCGroups()->Assign(CGroups.begin(), CGroups.end());
         }
 
         STORAGE_DEBUG("Sending StartEndpoint request");

cloud/blockstore/apps/client/lib/write_blocks.cpp

@@ -2,9 +2,9 @@
 
 #include <cloud/blockstore/libs/client/session.h>
 #include <cloud/blockstore/libs/common/iovector.h>
+#include <cloud/blockstore/libs/encryption/model/utils.h>
 #include <cloud/blockstore/libs/service/context.h>
 #include <cloud/blockstore/libs/service/service.h>
-
 #include <cloud/storage/core/libs/common/error.h>
 #include <cloud/storage/core/libs/common/sglist.h>
 #include <cloud/storage/core/libs/diagnostics/logging.h>

cloud/blockstore/apps/client/lib/ya.make

@@ -57,6 +57,7 @@ PEERDIR(
     cloud/blockstore/libs/common
     cloud/blockstore/libs/diagnostics
     cloud/blockstore/libs/encryption
+    cloud/blockstore/libs/encryption/model
     cloud/blockstore/libs/endpoint_proxy/client
     cloud/blockstore/libs/service
 

cloud/blockstore/apps/client/lib/zero_blocks.cpp

@@ -1,6 +1,7 @@
 #include "zero_blocks.h"
 
 #include <cloud/blockstore/libs/client/session.h>
+#include <cloud/blockstore/libs/encryption/model/utils.h>
 #include <cloud/blockstore/libs/service/context.h>
 #include <cloud/blockstore/libs/service/service.h>
 #include <cloud/storage/core/libs/common/error.h>

cloud/blockstore/libs/encryption/CMakeLists.linux-x86_64.txt

@@ -29,4 +29,5 @@ target_sources(blockstore-libs-encryption PRIVATE
   ${CMAKE_SOURCE_DIR}/cloud/blockstore/libs/encryption/encryption_service.cpp
   ${CMAKE_SOURCE_DIR}/cloud/blockstore/libs/encryption/encryption_test.cpp
   ${CMAKE_SOURCE_DIR}/cloud/blockstore/libs/encryption/encryptor.cpp
+  ${CMAKE_SOURCE_DIR}/cloud/blockstore/libs/encryption/model/utils.cpp
 )

cloud/blockstore/libs/encryption/model/utils.cpp

@@ -0,0 +1,69 @@
+#include "utils.h"
+
+#include <util/generic/map.h>
+#include <util/generic/yexception.h>
+
+namespace NCloud::NBlockStore {
+
+namespace {
+
+///////////////////////////////////////////////////////////////////////////////
+
+const TMap<TString, NProto::EEncryptionMode> EncryptionModes = {
+    {"no", NProto::NO_ENCRYPTION},
+    {"aes-xts", NProto::ENCRYPTION_AES_XTS},
+};
+
+}   // namespace
+
+NProto::EEncryptionMode EncryptionModeFromString(const TString& str)
+{
+    auto it = EncryptionModes.find(str);
+    if (it != EncryptionModes.end()) {
+        return it->second;
+    }
+
+    ythrow yexception() << "invalid encryption mode: " << str;
+}
+
+TString EncryptionModeToString(NProto::EEncryptionMode encryptionMode)
+{
+    for (const auto& [key, value]: EncryptionModes) {
+        if (value == encryptionMode) {
+            return key;
+        }
+    }
+    ythrow yexception() << "invalid encryption mode: "
+                        << static_cast<int>(encryptionMode);
+}
+
+NProto::TEncryptionSpec CreateEncryptionSpec(
+    NProto::EEncryptionMode mode,
+    const TString& keyPath,
+    const TString& keyHash)
+{
+    if (mode == NProto::NO_ENCRYPTION) {
+        Y_ENSURE(
+            keyHash.empty() && keyPath.empty(),
+            "invalid encryption options: set encryption mode or remove key "
+            "hash and key path");
+        return {};
+    }
+
+    Y_ENSURE(
+        keyHash.empty() || keyPath.empty(),
+        "invalid encryption options: set key path or key hash, not both");
+
+    Y_ENSURE(
+        keyHash || keyPath,
+        "invalid encryption options: set key hash or key path or remove "
+        "encryption mode");
+
+    NProto::TEncryptionSpec encryptionSpec;
+    encryptionSpec.SetMode(mode);
+    encryptionSpec.SetKeyHash(keyHash);
+    encryptionSpec.MutableKeyPath()->SetFilePath(keyPath);
+    return encryptionSpec;
+}
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/encryption/model/utils.h

@@ -0,0 +1,16 @@
+#pragma once
+
+#include <cloud/blockstore/public/api/protos/encryption.pb.h>
+
+namespace NCloud::NBlockStore {
+
+NProto::EEncryptionMode EncryptionModeFromString(const TString& str);
+
+TString EncryptionModeToString(NProto::EEncryptionMode encryptionMode);
+
+NProto::TEncryptionSpec CreateEncryptionSpec(
+    NProto::EEncryptionMode mode,
+    const TString& keyPath,
+    const TString& keyHash);
+
+}   // namespace NCloud::NBlockStore

cloud/blockstore/libs/encryption/model/ya.make

@@ -0,0 +1,11 @@
+LIBRARY()
+
+SRCS(
+    utils.cpp
+)
+
+PEERDIR(
+    cloud/blockstore/public/api/protos
+)
+
+END()

cloud/blockstore/libs/encryption/ya.make

@@ -13,8 +13,9 @@ PEERDIR(
 
     cloud/blockstore/libs/common
     cloud/blockstore/libs/diagnostics
+    cloud/blockstore/libs/encryption/model
     cloud/blockstore/libs/service
-    
+
     cloud/storage/core/libs/common
     cloud/storage/core/libs/endpoints/keyring
 

cloud/blockstore/libs/endpoints_vhost/external_endpoint_stats.cpp

@@ -1,7 +1,7 @@
 #include "external_endpoint_stats.h"
 
 #include <cloud/blockstore/libs/diagnostics/server_stats.h>
-
+#include <cloud/storage/core/libs/diagnostics/critical_events.h>
 #include <cloud/storage/core/libs/diagnostics/max_calculator.h>
 
 #include <type_traits>
@@ -67,7 +67,8 @@ void BatchCompleted(
         request,
         requestStats["count"].GetUInteger(),
         requestStats["bytes"].GetUInteger(),
-        requestStats["errors"].GetUInteger(),
+        requestStats["errors"].GetUInteger() +
+            requestStats["encryptor_errors"].GetUInteger(),
         times,
         sizes);
 }
@@ -91,6 +92,17 @@ void TEndpointStats::Update(const NJson::TJsonValue& stats)
         stats["write"],
         ClientId,
         DiskId);
+
+    // Report critical events
+    if (stats.Has("crit_events")) {
+        for (const auto& event: stats["crit_events"].GetArray()) {
+            ReportCriticalEvent(
+                GetCriticalEventFullName(event["name"].GetString()),
+                event["message"].GetString(),
+                false   // verifyDebug
+            );
+        }
+    }
 }
 
 }   // namespace NCloud::NBlockStore::NServer